Hmm...
I usually set the overrides on the chef server through role or node attributes, i haven't before tried to set them on the node directly with a file... Though it may work regardless.
You may need to include the authconfig default recipe ( recipe[authconfig] )
Testing it out, I set the attributes as such in a recipe file:
stardust:recipes rilindo$ more ldapauthtls.rb
node.override['authconfig']['sssd']['enable'] = true
node.override['authconfig']['ldap']['enable'] = true
node.override['authconfig']['ldap']['tls'] = true
node.override['authconfig']['ldap']['server'] = 'kerberos.example.com'
node.override['authconfig']['ldap']['basedn'] = 'dc=example,dc=com'
node.override['authconfig']['ldap']['auth'] = true
node.override['authconfig']['ldap']['cacerturl'] = 'http://192.168.15.100/mirrors/ks/keys/cacert.pem'
And added it in:
stardust:recipes rilindo$ knife node run_list add ldaptls "recipe[authconfig::ldapauthtls]"
run_list:
recipe[chef-client]
recipe[ohai]
recipe[authconfig::ldapauthtls]
And restarted chef-client on my test node. So far, it didn't set the configs as intended.
Perhaps it is my inexperience with chef getting in the way, but is this the right way to set it up?- RilindoOn Jan 21, 2012, at 12:45 PM, Jesse Campbell wrote:I was looking for a cookbook to manage ldap configuration on centos
6.1 vms that I'd spun up, as well as our other 300-odd centos 5.5 vms.
First looked at the openldap cookbook and wasn't terribly impressed...
it has lots of dependencies on debian locations of things that I'd
have to mess about with to make it work with centos.
Authconfig is a built-in CLI for managing auth configuration, be it
for ldap, winbind, kerberos, nis, etc. It automagically updates all of
the required files, using the new SSSD subsystem on EL6 systems.
Rather than reinventing that wheel, I decided to take advantage of the
built-in and call out to it from chef.
There was no method i found for telling authconfig to pull the
configuration from a file, so instead I build out an arguments list
from node attributes. If the file changes, it will re-run authconfig,
so it is idempotent.
The defaults follow what came on a bare centos 6.1 system, but should
work with others.
Current issue:
the functionality to tell winbind to join a domain is not included, it
seemed to need an admin user specified, and likely would prompt for a
password. Not having a domain server to test against, I did not have
any way to find out.
http://community.opscode.com/cookbooks/authconfig
I have only tested this on CentOS 6 so far, but would appreciate if
anyone else tries it to let me know if it works, or bugs they run
into...
Thanks!
-Jesse
Archive powered by MHonArc 2.6.16.